The GDPR is being enforced as of yesterday. It's been a law for two years, but fines are now going to be assessed for violations. If you're like me, you've been getting a lot of different types of privacy policy updates, new opt-in requests in email, some notices in email with the burden on you to opt-out, and more. A few people joked about how many they've been getting, and certainly I've seen no shortage of updates. I've even seem some updates to services that don't allow access to content, such as YouTube, without clicking some accept button.

It's interesting to see the various approaches being taken. Last week in London, Redgate held a SQL Privacy Summit and I was honored to host a panel discussion from various industry experts. They had different takes on the GDPR, though most of these people were pro-GDPR, happy that some proper data handling was being enforced. That's the attitude that many DBAs in know in the EU, as they now have some legal reasoning why we should implement better data handling and security practices.

However, I've also seen that there are different interpretations of how to deal with data. Do you need to ask all customers to opt-in? Can you continue to use data in development and test environments? Can you process data as you already have if you disclose what you're doing? Is the burden on the company or the data subject? I'm sure we'll see various decisions and rulings from regulatory authorities across the next year as data subjects complain and companies try to do the minimum level of work.

The idea of data being somewhat co-owned by a business and an individual is fascinating  I see both sides, and I certainly would like to have some rights over data about me. I definitely think my address, my date of birth, and more should be secured and companies that use my data should have some liability if it's disclosed. I'm not sure about rights over how it's used, but that's certainly a discussion that's coming.

I've already seen one organization file suit over access to data, because they're being forced to consent to handling that they disagree with. That is going to be something I watch carefully. Can a company change their terms arbitrarily, ask me to consent in a take-it-or-leave-it fashion, and withhold access to data? Do I own my messages and data stored in services? Is it co-owned?

Like it or not, the GDPR is forcing us to have some discussions and debates about digital information, which is good.

We're mostly ready at Redgate, and certainly continuing to do work. Ultimately, our reading of the GDPR (with some backing from auditors), is that we don't have to be perfect today, but we need to be making an effort and be able to prove that we are doing so. So on a day after the GDPR went into enforcement, what are you doing? Do you think you're ready?